Is it possible to find out which ssh key was used to access an account? I have an account on a server that I let several (trusted!) people have access to via ssh. I'd find it useful to be able to know who logged in and when. I have root access so I can look at the logs, but there doesn't seem to be anything there. Is there some configuration switch that will put some way of identifying the key in the logs?

Have you tried playing with LogLevel in sshd_config?
–
EightBitTonyJun 24 '11 at 17:35

It would be amazingly useful to be able to find out which key was used to authorize the current session - in my case, for access control on a Mercurial repository accessed through a shared login. All the existing techniques involve threading the identity through a command option, which is a bit clunky.
–
Tom AndersonJun 28 '11 at 16:28

LogLevel
Gives the verbosity level that is used when logging messages from
sshd(8). The possible values are: QUIET, FATAL, ERROR, INFO, VER-
BOSE, DEBUG, DEBUG1, DEBUG2, and DEBUG3. The default is INFO.
DEBUG and DEBUG1 are equivalent. DEBUG2 and DEBUG3 each specify
higher levels of debugging output. Logging with a DEBUG level vio-
lates the privacy of users and is not recommended.

@F.Hauri, Unless I'm missing something, wouldn't that return the wrong thing if a PID is reused for a second SSH session? It looks like it will always return the earliest fingerprint for the given PID in auth.log rather than the latest.
–
godlygeekJul 29 '14 at 21:48

Somewhat similar to @user37161's answer. If the shared account is running a custom shell and the shell needs to know what user is there, then running the "wrapper" script might not be sufficient, since information there isn't passed into the custom shell except through methods that could cause race conditions.

Instead you can use the environment= option in authorized_keys file to set an environment variable, which the custom shell can then read.

Inside your .ssh/authorized_keys file, prepend each line with an environment variable set, like the following:

Then the custom shell, or any of the various rc scripts, can read the $REMOTEUSER variable and take the appropriate action.

However, note that if you're using a standard shell, then the logged-in user is capable of modifying the file to thwart various things. Also, there is some risks in allowing users to set environment variables such as LDPRELOAD. See the sshd_config documentation about PermitUserEnvironment.